Do You Know Who Your Cloud Vendor Contracts to Handle Your Data?

Cloud-based applications, also called Software as a Service (SaaS), have become the mainstay of many businesses these days. It makes sense to move many applications to the cloud because of the reduced costs of those applications and the increased speed with which they propagate through the organization, but the convenience of the cloud doesn’t come without some risk.

One risk that is often overlooked is the risk that is inherently involved with data. In the case of cloud-based apps, the concerns associated with data are usually focused on the security of the applications that access the data. Many organizations fail to think further about where data resides, who has control over it, and how a vendor’s outsourcing habits can affect the end user’s data.

Outsourced Outsourcing

What some organizations don’t realize is that many SaaS providers don’t have data centers. Instead, they outsource the storage of data to a data center provider. Even if a cloud service provider doesn’t outsource the storage of its data to a dedicated data center, it may have a colocation system where it rents part of a data center. This means that although the service provider maintains control of your data, it is not housed at the provider’s physical location. In fact, these colocation services make it impossible for a SaaS provider to maintain complete control over your data.

That’s not to say that your data is unsafe. It simply means the picture gets a little murkier when you start considering who is actually handling your data. Where is it stored? How difficult will it be to get the data back should your organization decide to change vendors? The big question: What regulations, laws, and compliance issues might need to be considered based on the physical location of the data storage?

What Does and Doesn't Matter?

From a regulatory standpoint, not every organization is affected by the physical location of data storage facilities. One question to ask: How sensitive is the data that’s collected, stored, and accessed by outsourced applications? For some organizations, the data might be innocuous. For organizations that handle highly sensitive data, however, a deeper look at how a cloud service provider handles that data might be in order.

Organizations considering moving to cloud-based or SaaS applications should ask the application providers the hard questions about how data is handled. Where is it stored? Has the storage facility been certified as trustworthy by a third-party trusted standards body? What an organization should look for is complete transparency in the way its data is handled and protected.

Transparency and Accountability

The true test of how a chosen cloud provider handles your data is the vendor’s willingness to provide transparency in how and where your data is handled and its willingness to take accountability in the event there is a data breach. Data breaches are the top concern any time data is outsourced to another location. Who holds responsibility for the breach? Although it is your data, and ultimately your organization bears the responsibility for it, will your vendor step back and allow you to shoulder that burden alone? Is there something in your contract with the vendor that outlines who is responsible if an outsourced data warehousing provider allows a breach of your data? Will the vendor step up? Does the vendor have a contract with the data warehouse provider that holds that provider responsible?

When it comes to customer data, no matter how sensitive, ultimately the customer will look at you if something goes wrong. Are you prepared to take that risk? What repercussions have your cloud-service providers agreed to if their vendors fall short on expectations? These are tough questions, but take the time to get them answered because your customers will expect those answers if something goes wrong.

About the Author

Jerri Ledford has been writing about business technology for more than 20 years. Her articles, profiles, news stories, and reports have appeared in such venues as Intelligent Enterprise, Network World, Information Security Magazine, DCM Magazine, and CRM Magazine. She develops and teaches technology courses for enterprises such as Sony, HP, and CNET and is the author of 19 business technology books, including Google Analytics and The SEO Bible. Jerri is a Studio B analyst.